±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35538
New Yesterday: 1 Visitors: 130

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Data Recovery Lab

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4  Next 
  

jaclaz
Senior Member
 

Re: Data Recovery Lab

Post Posted: Jan 16, 13 00:20

- CopyRight
Great Stuff from everyone, much appritiated, so i get it that most of the people don't agree on the list i've posted earlier. Can anyone suggest a complete set of tools that would favour a medium size data recovery lab?


It seems to me more like most people actually agrees on something

This something is basically the foolishness of making such a list without knowing what exact level of knowledge you (or the people that are going to run the recovery service) ALREADY have AND the EXACT expected "intended customers/offered services".

And please note how this represents a CATCH22, if you (or the people that are going to run the recovery service) had ALREADY *any* experience/knowledge on the specific field (or even on some specific parts of it) you (they) would ALREADY be capable of making such a list.

I guess it's time for another carpenter's comparison. Shocked

One of the simplest tool of the trade is the hammer.
If you are a carpenter, or have some experience as a carpenter you are used to a given type (and size/weight) of hammer.
You will only use effectively that particular type of hammer, and you will find how other carpenters as expert as you are or more expert than you are will use instead a different kind of hammer.
In Italy (as an example) most carpenter's will use either of these types:
www.giemmeargenta.it/n...r-300.html
www.giemmeargenta.it/n...r-400.html
300 g or 400 g head, wooden long handle, simmetric claw
In Germany most carpenters will use this one:
www.gedore.de/en/produ...176,144546
600 g head, shortish metal handle, asimmetric claw

Either tool is very efficient (when used by expert hands) to drive nails into wood (it's primary function), I can assure you, having worked with both italian and german carpenters, even on the same site and on the exact same kind of work, same wood, same nails, that both "styles" are good.

We even made more than once some race (just to see who would pay for the beer after work Wink ) and sometimes the italian team won and sometimes the german one did.

Still, every italian carpenter would not use the "german style" hammer and as well any german carpenter would not use the "italian style" one as fast and as accurately as their own "national" tool.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

CopyRight
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 16, 13 15:46

Jaclaz,

If i were to request a training on those tools specified, and i wanted to create a training success indicator list, which means a list of things i will ask the training vendor to ensure deliver to us such as..

1-deep understanding of file systems
2-Introduction to all component of hard drives
3-List of all hard-drive type
4-Capability to understand what part (hardware) is failing and how to replace that specific part
5-Tpyes of all sort of failures (firmware,sector,head...)
6-How to dimentle the hard-drive (different ones)
7- etc....


what other things i should requeset from the vendor? to make sure i get the most out of the training. (hands-on)  
 
  

ThePM
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 16, 13 21:08

I love ForensicFocus, but sometimes some posters seem to forget the fact that no one is born with the DR of forensic gene and everybody has to start somewhere... And IMHO, Data recovery is not a discipline that can be done successfully on a shoestring budget. You need good tools to do the job, gain confidence and experience.

I was once in a situation similar to yours as I had to put a DR lab in place for our forensics team. I had basic knowledge about how a drive works, but clearly not enough to do DR.

We bought PC-3000 UDMA and Deepspar Disk Imager without training, thinking that I could learn it by myself, following the manual... Boy was I wrong!! IMO, you really need the training to be able to leverage the power of PC-3000. Deepspar Disk Imager you can learn on your own, it is quite simple to use, but you must read the manual to understand all the options to maximize your chances of recovery.

I disagree with the poster that suggested buying PC-3000 at a later time. I think PC-3000 is a very powerful tool and is essential for diagnostics of a drive, specially for the less experienced technician. PC-3000 can connect to some drives via a serial connection and retrieve debug info or error codes, helping you targeting the issue an thus, the solution. And, as mentionned, it can help deal with firmware (system area) issues such as corrupted modules, corrupted g-list, translator issues, etc.

Here are my 2 cents on what you might need to start doing DR:
1- Training
- I attended the Deepspar Training and I really recommand it. It will give you the rundown on how a drive works, the common problems (and solutions) for each hard drive manufacturers, and how to use PC-3000 for the most common diagnostics and firmware repair jobs. The only problem (and a major one) with the training is that it is a demonstration only. There is no hands-on exercice for the students... You can see the instructor do a PCB swap, head swap, platter swap, etc. But you don't experience it yourself.

- I was told by some people from other Police dept that the training from Scott Moulton is a must-have. It is an intense 5-days training (like 10-12 hours a day). It includes info about how adrive works, but compared to the Deepspar training, it adds logical data recovery, RAID recovery and many hands-on exercices.

2- Software (I can only speak for those that we use)
- PC-3000 UDMA with Data Extractor (believe me, Data Extractor is a must-have if you buy PC-3000)
- R-Studio Network Technician
-RAID Reconstructor

3- Hardware
- Deepspar Disk Imager (with current monitoring, USB, and network add-on)
- Hot air rework station (for performing ROM chip swap and removing fuses)
- Microscope (for inspecting soldering work)
- Good tweezers, torx screwdrivers and precision pliers
- finger cloths
- platter removal tools (we use the ones from SalvationData, but rarely do platter swap...)
- head combs (the ones from CPR Tools are very fragile. We ordered the ones from SalavationData as they seem more sturdy and have a locking pin. HDDSurgery have awesome tools to ease the head swap process (even for less experienced users) but they are quite expensive)

4- Hard drive suppliers
- www.donordrives.com
- accesscomputerparts.com
- ebay (be careful because often no garantee of working parts)

5- Reference sites
- www.hddguru.com
- Deepspar user forum
- acelab forum

Hope this helps.

PM
_________________
Pierre-Marc Cayer
Forensic Investigator 
 
  

jaclaz
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 16, 13 22:43

- CopyRight

what other things i should requeset from the vendor? to make sure i get the most out of the training. (hands-on)

Here is the point.
As I see it any of the mentioned tools is just a tool Wink .
They are pretty much useless unless you are trained to use them.

But a "vendor's course" tends to focus (obviously) on the use of the specific tool, I doubt that any will deliver the items that you list.

You need a deep knowledge of the theory behind first.

Without it, a "vendor's course" risks to become wasted money as they are - generally speaking - aimed to already knowledgeable people, or - on the other hand - give you only the "vendor's version" of the story.

To go back to the hammer's comparison, you can train anyone in near to no time to use a given type of hammer, and very soon he/she will able to plant effectively a nail in the wood, BUT an experienced carpenter knows also, as an example:
  • where exactly the nail need to go
  • at which exact angle it needs to go in
  • the exact number of nails needed to have a solid junction between two planks
If you get only a course by the guy who sells hammers (and nails) you will be taught about using ONLY their nails, with ONLY their hammers (and possibly you will be taught how - say - you need at least 15 nails per junction - while 5 are more than enough).

Data recovery is - still IMHO - not an "industrial" kind of work, you (or the people working for you) need to be not "workers", but artisans (I would dare to say "artists"), as what you will get will vary greatly.

You need first "generic" courses (that should cover the items you listed) and only later take the specific vendor's courses, by the time you will have had the "generic" training, you will be able to test yourself the tools and decide which one is more suited, more handy, more effective, etc.

Besides the PC-3000 (which is a "must have") your choice of the other tools is as good as anyone else's (but as said you can find working alternatives - at least for the pure "hardware" part - for less money) but the point is still that any trained operator will have his/her own preferences, be familiar with one tool and not with the other, etc., i.e. it's the actual people (and their knowledge, and there expereince) that make a successful data recovery, the tools are a needed but not "only" part of the business.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

CopyRight
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 17, 13 10:35

Oh Boy Jaclaz i can't beleive it you were a DR newbie one day, look at you now! a DR guru! *Bless*!

Very well explained and said, anyhow i asked this because the vendor has proposed the tools i've shared with you guys in the start of this thread, they've also said that a professional instructor will give us a training, an intructor that does not belong to any of the tools companys, a professioanl person that has experience on all the tools that we are going to purchase.

I know you've got skills to work on most of the tools listed right? what would you teach us if you were an instructor? 1,2,3,4,5...?

Thanks!  
 
  

jaclaz
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 17, 13 18:54

- CopyRight

Very well explained and said, anyhow i asked this because the vendor has proposed the tools i've shared with you guys in the start of this thread, they've also said that a professional instructor will give us a training, an intructor that does not belong to any of the tools companys, a professioanl person that has experience on all the tools that we are going to purchase.


That's good, but if I get it right, basically you are relying on an external (qualified as it might be) vendor to setup your lab and train the people in an initial (limited) amount of time.

If you believe that this approach (again with the best instructor you can have) is actually enough to create "from nothing" a data recovery lab, that's fine, but allow me to be doubt that it will work.

My belief is that after a training, again even an excellent one or the best one you can get, the result will be a number of - no offence whatever intended - (very well) trained monkeys, capable of doing a given set of activities exactly and with precision, but lacking the capabilities to tackle some of the "real world problems" or do so effectively and correctly.
Of course I may well be pessimistic, but I am actually trying to be pragmatic.

- CopyRight

I know you've got skills to work on most of the tools listed right?

Not really, I can use some of the tools in the list, but I am no "pro".

- CopyRight

what would you teach us if you were an instructor? 1,2,3,4,5...?

How long is the course (how many hours, over which period of time)?
More than that which is the current "level" of the people that will work in the laboratory?
I mean are they "average joe's", qualified technicians, university degree in the field, long time electronic repairmen?

OT, but not much, from "From Russia with love" Wink
www.imdb.com/title/tt0...=qt0335904

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

CopyRight
Senior Member
 

Re: Data Recovery Lab

Post Posted: Feb 18, 13 11:26

Lol, Yeah i can see you being pragmatic.

How long is the course (how many hours, over which period of time)?
More than that which is the current "level" of the people that will work in the laboratory?
I mean are they "average joe's", qualified technicians, university degree in the field, long time electronic repairmen?

Regarding the duration of the training, its around 10 days, the participants will be Qualified Forensic Investigators.

what do you recon?

Cheers  
 

Page 3 of 4
Page Previous  1, 2, 3, 4  Next